- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 23 Dec 2009 15:05:01 +0100
- To: "Kenton Varda" <kenton@google.com>, "Adam Barth" <w3c@adambarth.com>
- Cc: "Ian Hickson" <ian@hixie.ch>, "Tyler Close" <tyler.close@gmail.com>, public-webapps <public-webapps@w3.org>
On Tue, 22 Dec 2009 02:48:42 +0100, Kenton Varda <kenton@google.com> wrote: > It *is* a problem today with XMLHttpRequest. This is, for example, one > reason why we cannot host arbitrary HTML documents uploaded by users on > google.com -- a rather large inconvenience! If it were feasible, we'd be > arguing for removing this ability from XMLHttpRequest. However, > removing a feature that exists is generally not possible; better to > avoid adding it in the first place. There are plenty of other features that already make that impossible. > With CORS, the problems would be worse, because now you not only have to > ensure that your own server is trust-worthy and free of CSRF, but also > the servers of everyone you allow to access your resource. Problems are > likely to multiply exponentially. Isn't this also true for the non-CORS solution? A secret token can be stolen as well. I'm personally not really married to either approach, but it is still not clear to me how to me how can make us of UM to address the use cases CORS has. And for the cases where UM can replace it it appears to be much more complicated, which I do not think is a good sign if we expect authors to make mistakes. I tried to clarify the use cases for CORS here (if more detail is needed please let me know): http://dev.w3.org/2006/waf/access-control/#use-cases It would be nice to have sufficient detail on how each of these would work with UM so we can evaluate things better. -- Anne van Kesteren http://annevankesteren.nl/
Received on Wednesday, 23 December 2009 14:40:47 UTC